chriscauley

Reputation: 20991

Unexplainable invalid HTTP_HOST errors in django/nginx

I'm regularly seeing very odd INVALID_HOST errors in django. The website domain (which will be known as example.com from here on out) is the only thing that nginx passes on to django. example.com is in the django.conf.settings.ALLOWED_HOSTS. Everything else goes straight to nginx's 404. Here are the relevant lines in my config:

server { return 404; }
upstream django {
  server 127.0.0.1:3033;
}

server {
  listen      80;
  server_name classes.example.com;
  return 302 https://example.com/classes/;
}

server {
  listen      80;
  server_name *.example.com example.com;
  return 302 https://example.com$request_uri;
}

server {
  if ($host ~* "^classes.example.com$") {
    rewrite ^.*(?=\/)(.+)$ https://example.com/classes/ permanent;
    break;
  }

  listen   443;
  root /home/django/example.com;
  server_name *.example.com example.com;

  # here are static files/ irrelevant code

  location / {
    uwsgi_pass django;
    include uwsgi_params;
  }
}

To me this says that I should never see the following message emailed to me.

SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): someotherdomainname.tld

However I receive 4 or 5 of these a day via the standard django error logger. The someotherdomain.tld can be *.example.com (the wildcard of my server), the server's IP address, or random things like device-metrics-us-2.amazon.com:443 or data.flurry.com to name a few. To make matters even more confusing, I can go to the server IP address or whatever.example.com and I get the nginx 404 screen with no error email (the expected behavior).

I am fairly certain that this is caused by the fact that if you log into our public wifi at the company the site is for, you have to sign in as a guest and then it redirects you to our website (annoying but the CEO insists...). The errors are harmless and no one has ever reported seeing the django error page when they try to go to amazon.com or anything like that. I'm just stumped as to how it is even possible considering my nginx config.

Upvotes: 2

Views: 855

Answers (1)

Burhan Khalid

Reputation: 174614

Assuming you have configured django correctly (ALLOWED_HOSTS), then it could be that someone is simply spoofing headers. Host spoofing is a common tactic to check for vulnerabilities.

You can prevent these entirely by denying anything other than what your server is responsible for:

if ($host !~* ^(example.com|classes.example.com|www.example.com)$) {
        return 444;
}

Upvotes: 1
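The host check in the answer works best together with an explicit catch-all on port 443: when no server block on a port is marked default_server, nginx treats the first one it finds as the default, so the question's `server { return 404; }` block (which only listens on 80) never applies to HTTPS and the wildcard 443 block receives every Host header. The configuration below is an added example, not the poster's or the answerer's config; it assumes the `upstream django` block from the question is kept, and the certificate paths are placeholders.

```nginx
# Catch-all for both ports. Any Host that no other server block claims
# lands here and the connection is closed without a response (444),
# so nothing unexpected is ever forwarded to uwsgi.
server {
    listen 80  default_server;
    listen 443 ssl default_server;
    server_name _;
    # nginx refuses to start a TLS default_server without a certificate;
    # a self-signed placeholder is enough here (paths are assumed).
    ssl_certificate     /etc/nginx/placeholder.crt;
    ssl_certificate_key /etc/nginx/placeholder.key;
    return 444;
}

server {
    listen 443 ssl;
    # Explicit names only; a wildcard here would reintroduce the problem.
    server_name example.com classes.example.com www.example.com;
    ssl_certificate     /etc/nginx/example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/example.com.key;   # assumed path
    root /home/django/example.com;

    # Second guard in case a later edit widens server_name. $host is the
    # lowercased Host header with any ":443" port suffix stripped, which is
    # why it is used here rather than the raw $http_host.
    if ($host !~* ^(example\.com|classes\.example\.com|www\.example\.com)$) {
        return 444;
    }

    location / {
        include uwsgi_params;
        uwsgi_pass django;
    }
}
```

Django's ALLOWED_HOSTS still validates the forwarded host, so the two layers back each other up: nginx drops stray hosts silently and Django only sees the names it is allowed to serve.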
